fix(ci): point Dependabot npm at the workspace root only #772
Open
ogazboiz wants to merge 1 commit into
flowfi is a single npm workspace (frontend + backend hoisted into one root `package-lock.json`). `dependabot.yml` declared separate npm ecosystems for `/frontend` and `/backend`, but those only bump the directory's `package.json` without updating the root lockfile that CI runs `npm ci` against. Every PR they opened therefore died at install with:

```
npm error `npm ci` can only install packages when your package.json and package-lock.json ... are in sync
npm error Invalid: lock file's next@16.2.7 does not satisfy next@16.2.9
```

The root `/` npm entry already covers the whole workspace and updates the root lockfile (those PRs, e.g. the grouped minor-and-patch one, pass CI). Drop the two per-directory npm entries so future Dependabot PRs install cleanly.
This was referenced Jun 18, 2026
Why
flowfi is a single npm workspace (frontend + backend hoisted into one root `package-lock.json`). `dependabot.yml` declared separate npm ecosystems for `/frontend` and `/backend`, but those entries only bump the directory's `package.json` without updating the root lockfile that CI runs `npm ci` against.

Result: every Dependabot PR from those two entries dies at install:
That is exactly why PRs #764-#770 are all red on Backend CI / Frontend CI / Backend npm test / Vuln Scan, while the grouped root PR (#771) passed and merged cleanly.
Fix
Drop the redundant `/frontend` and `/backend` npm entries. The root `/` npm entry already covers the whole workspace and updates the root lockfile, so future Dependabot PRs will install cleanly. Cargo and github-actions entries are unchanged.

Follow-up (separate)
The currently-open PRs #764-#770 were generated by the now-removed entries and cannot pass as-is; they should be closed (Dependabot will re-propose the relevant bumps from the root entry on the next run). #763 (soroban-sdk 22 -> 26) is a real major Rust bump that needs a contracts migration, not a lockfile fix.
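For readers unfamiliar with how Dependabot maps `directory` entries onto an npm workspace, the following is an added illustration of the misconfiguration described above and its fix. It is not the repository's actual `dependabot.yml` (the PR page does not show that file); the schedule intervals, the `minor-and-patch` group name, and the Cargo and github-actions entries are assumed for the example.

```yaml
# Added example, not the project's own config. Two YAML documents:
# the first shows the failing layout, the second the corrected one.

# --- BEFORE: three npm entries, two of which bump a sub-package's
# package.json but never touch the root package-lock.json that
# `npm ci` validates in CI. Those PRs fail at install every time.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"          # root of the workspace (assumed layout)
    schedule:
      interval: "weekly"    # assumed
  - package-ecosystem: "npm"
    directory: "/frontend"  # REDUNDANT: hoisted into the root lockfile
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"
    directory: "/backend"   # REDUNDANT: same problem as /frontend
    schedule:
      interval: "weekly"
  - package-ecosystem: "cargo"
    directory: "/"          # assumed: Rust contracts live under the root
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

---
# --- AFTER: a single npm entry at the workspace root. Dependabot resolves
# workspace members through the root package.json/package-lock.json, so
# every bump lands in the lockfile that `npm ci` checks. The grouping is
# an assumed setting that matches the "grouped minor-and-patch" PR the
# description mentions.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      minor-and-patch:      # assumed group name
        update-types:
          - "minor"
          - "patch"
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

The practical check before merging any Dependabot branch in a hoisted workspace is the same command CI runs: `npm ci` from the repository root. A bump that only edited `frontend/package.json` reproduces the "lock file's next@x does not satisfy next@y" error locally, which is the quickest way to tell a lockfile-drift failure apart from a genuine dependency break such as the soroban-sdk major bump noted above.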